NYCPHP Meetup

NYPHP.org

[joomla] PHP magic_quotes_gpc

Gary Mort garyamort at gmail.com
Sat Oct 24 16:39:08 EDT 2009


It's not a matter of version of Joomla, but rather philosophy of PHP
developers.

Turning magic quotes on sanitizes variables automatically so they have less
potential for causing database injection attacks.

Initially, this was suggested as "more secure" because it means the
programmer doesn't have to sanitize the data.

Then the problem is that big apps [like Joomla] get installed on lots of
different platforms, so you can't count on it being turned on.

What is worse, is that you have to use 2 different lines of code for
retrieving variables based on whether magic quotes is on or off.  So when
you have software which can be deployed on platforms you have no control
over, now one line of code has become 4, because you have to do an if/else
clause for every variable retrieval.

So what was initially created to aid programmers in being lazy now causes
more work for programmers.  Hence programmers forced to do more work
inaccurately will say it is less secure because they're doing more work.

The long and the short of it is, magic quotes has no impact on server
security.  It's the PHP programming that will have that impact.


On Sat, Oct 24, 2009 at 3:46 PM, David A. Roth <davidalanroth at gmail.com> wrote:

>
> So my big question for this wet Saturday afternoon is, should this be
> OFF for all modern installations of Joomla, or it isn't a security
> issue anymore?
>
> Yes, I plan to upgrade all the Joomla web sites to the latest. I
> presume the best way to do this is follow the chain of patches?
>
>
>
Actually, no you can't upgrade from 1.0 to 1.5 - instead you migrate.
Depending on how many components you have this may or may not be painful.

The way we did it recently was to create a dev snapshot of a production
system.
Then installed the migrator component to export all the base joomla stuff.

Then we created another dev site and installed 1.5 onto it, importing the
migration file during setup.

Then we enabled the legacy mode plugin.  I copied over the tables for some
existing components [advanceSEF and Zoomgallery] and then installed the
latest versions of those components to the 1.5 site.

We copied over the contents of the 1.0 templates directory and those worked
in 1.5 with legacy enabled.

Then we updated the templates to 1.5 and turned off legacy mode.

Finally once we were sure the site was correct, the dev site was backed up
and restored to production.
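The point in the post above, that magic_quotes_gpc changes how you retrieve a variable but not whether the SQL that uses it is safe, is easier to see in code. The following is an added example, not code from the post or from Joomla: a single helper undoes magic quotes once so the rest of the application never needs the if/else at every retrieval, and the database lookup binds the value as a parameter so it is safe whichever way the setting is configured. The function names, the `articles` table and the sample input are constructed for the illustration; it assumes PHP 5.x with the PDO SQLite driver (get_magic_quotes_gpc() no longer exists in PHP 8, so the call is guarded).

```php
<?php
// Added example (not from the list post or Joomla). Assumes PHP 5.x with
// PDO and its SQLite driver; get_magic_quotes_gpc() was removed in PHP 8,
// so every call to it is guarded with function_exists().

/**
 * Return a request value with magic quotes undone, so the rest of the
 * application always sees the raw user input exactly once.
 * $source is normally $_GET, $_POST or $_COOKIE.
 */
function get_request_value(array $source, $key, $default = '')
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    $value = $source[$key];
    // With magic_quotes_gpc=On, PHP has already added backslashes; remove
    // them here so a later escaping/binding layer does not double-escape.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = is_array($value)
            ? array_map('stripslashes', $value)
            : stripslashes($value);
    }
    return $value;
}

/**
 * Look up articles by title (hypothetical table). The value is bound as a
 * parameter, so the query is safe whether magic quotes were on or off: the
 * driver, not string escaping, keeps data and SQL separate.
 */
function find_article_by_title(PDO $db, $title)
{
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE title = :title');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO articles (title) VALUES (\"O'Reilly review\"), ('Hello')");

// Simulated $_GET as each platform would deliver it (constructed values).
$raw     = array('title' => "O'Reilly review");    // magic_quotes_gpc=Off
$slashed = array('title' => "O\\'Reilly review");  // magic_quotes_gpc=On

// A real request sees only one of these; pick the one matching this PHP's
// setting so the helper can show that the normalized result is the same.
$magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
$title = get_request_value($magic ? $slashed : $raw, 'title');
print_r(find_article_by_title($db, $title));       // one row: O'Reilly review

// Input that would break a string-concatenated query is bound as plain
// data here, so it simply matches no title.
print_r(find_article_by_title($db, "' OR 1=1 --")); // empty array
```

Centralizing the stripslashes() call in one retrieval helper is what frameworks of that era did to avoid the "one line becomes four" problem; the security property, however, comes entirely from the prepared statement, which is why toggling magic_quotes_gpc does not make the application more or less safe.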

